PT-2023-32785 · Wso2 · Wso2
Published: 2023-12-15 · Updated: 2025-06-05
CVE-2023-6837
CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WSO2 products (affected versions not specified)
Description
Under specific conditions, the issue allows a malicious actor to impersonate a user through Just-In-Time (JIT) provisioning. The conditions are: an identity provider (IdP) configured for federated authentication with JIT provisioning enabled and the "Prompt for username, password and consent" option selected; and a service provider that uses this IdP for federated authentication with the "Assert identity using mapped local subject identifier" flag enabled. The attacker must hold a freshly created, valid account in the federated IdP and must know the username of a valid user in the local IdP.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Wso2